In one of those “reflect on the last year” sort of pieces, Jamie Condliffe at Gizmodo built an article around “The 25 Most Popular Passwords of 2015,” subtitled “We’re All Such Idiots.” I’m not sure I’m willing to accept that we’re idiots, but the article spawned an interesting question: what would someone do with that list? It was another journalist who asked that question. He asked because people still picture the bad guys doing cyber harm as a lone wolf in a hoodie. They may be wearing hoodies (like most everyone in tech these days), but they are not sitting there trying to break one thing at a time. The enemy is automated, which is the right move at the huge scale of the internet today.
Couple a list of the 25 most common passwords with a spammer’s list of known good email addresses, and you have a great list to run down an online banking site. Just sit there trying to log in as different users, space the attempts out well enough not to lock out the accounts (timing you can learn with a test pass), and wait until a few of them get past the login page. If that sounds like a long, boring task – congratulations! You’ve passed the Turing Test. A long, boring but potentially rewarding task like that is what computers are for. In other words, it’s something anyone who knows technology would automate. And that’s the danger of people lazily using bad passwords. Bad guys can use a computer’s ability to execute mind-numbing tasks to monetize that laziness with a bit of code and a lot of bad intentions.
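The defender’s side of that picture is worth making concrete. The attack described above is spread across many accounts and kept below each account’s lockout threshold, so per-account failure counters never fire; what does reveal it is looking per source across accounts. The following is an added example, not code from the original article: it runs a simple detector over a constructed authentication log whose format (`<ISO timestamp> <source_ip> <username> <FAIL|OK>`), addresses, usernames and thresholds are all invented for illustration.

```python
"""Detect a password-spray pattern in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format: "<ISO timestamp> <source_ip> <username> <FAIL|OK>".
# One source tries a guess or two against many accounts, never more than twice
# per account so no lockout trips; one ordinary user mistypes a password twice.
SAMPLE_LOG = """\
2015-12-30T09:00:00 203.0.113.7 alice FAIL
2015-12-30T09:00:12 203.0.113.7 bob FAIL
2015-12-30T09:00:25 203.0.113.7 carol FAIL
2015-12-30T09:00:37 203.0.113.7 dave FAIL
2015-12-30T09:00:49 203.0.113.7 erin FAIL
2015-12-30T09:01:02 203.0.113.7 frank FAIL
2015-12-30T09:01:14 203.0.113.7 grace FAIL
2015-12-30T09:01:26 203.0.113.7 heidi FAIL
2015-12-30T09:01:39 203.0.113.7 ivan FAIL
2015-12-30T09:01:51 203.0.113.7 judy OK
2015-12-30T09:02:03 203.0.113.7 alice FAIL
2015-12-30T09:05:00 198.51.100.9 mallory FAIL
2015-12-30T09:05:30 198.51.100.9 mallory FAIL
2015-12-30T09:06:00 198.51.100.9 mallory OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=4):
    """Flag sources that, within `window` of their first attempt, fail against at
    least `min_accounts` distinct accounts while staying under `max_per_account`
    failures on every one of them (the "stay below lockout" spacing described in
    the text). A success from the same source after those failures is reported
    as a probably compromised account. Per-account lockout counters never see
    this pattern; only a per-source, cross-account view does.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = evs[0][0]
        fails = defaultdict(int)
        compromised = []
        for ts, _, user, result in evs:
            if ts - start > window:
                break
            if result == "FAIL":
                fails[user] += 1
            elif fails:  # a success following failures from the same source
                compromised.append(user)
        if len(fails) >= min_accounts and max(fails.values()) < max_per_account:
            findings[ip] = {"accounts_tried": len(fails),
                            "likely_compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample, the spraying source is flagged with nine accounts tried and `judy` as the account whose login succeeded; the user who mistyped their own password twice is not. In a real deployment the per-source key would often need to be a source range or ASN rather than a single address, since the same automation that spreads attempts over accounts can spread them over addresses too.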
Automation is an Enemy and a Friend
Recently I spoke with an analyst who, when I mentioned the idea that our privileged access management solution can take a sandboxing platform like FireEye and hook it up to an automated response, recoiled, saying that would make him and most customers he speaks with nervous. They have tried things like DNS shutdown and other malware remediation steps and have been burned as production work ground to a halt. However, he immediately saw the difference when I walked him through the idea of simply rotating credentials at the moment of an active attack as the response: a response that cuts off the attacker’s access to the privilege needed to succeed, without affecting legitimate users who were already going through a process to gain access to privilege on demand.
This is neither rocket science, nor is it original. After one of the major data breaches of last year (think top 3 by notoriety), many consultants parachuted in from the biggest names in the IT security business. They sat and stared at tons of screens, drank lots of caffeine, and after 36 hours concluded that all the privileged credentials should be changed. Now imagine that was an automated response that would have happened the moment the big icon went red. Of course that would have been better. The key is that since the legitimate users wouldn’t have access to always-on privilege in that scenario anyway, the only ones feeling the pain of the automated response are the bad guys.
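The mechanics of why rotation hurts only the attacker are easy to show in code. The following is an added example, not the article’s code nor any vendor’s product: it models a minimal just-in-time privilege vault in which the shared privileged account’s password lives only in the vault, operators check it out for a short lease, and an alert from a detector triggers rotation. The class and function names (`TargetSystem`, `PrivilegeVault`, `on_alert`), the account name and the alert records are all hypothetical, and the alert format stands in for whatever a real sandbox would emit.

```python
"""Credential rotation as an automated response (added example, not the
article's or any vendor's code). Models a minimal just-in-time privilege
vault: the privileged account's password lives only in the vault, operators
check it out for a short lease, and an alert triggers rotation. Names such as
TargetSystem, PrivilegeVault and on_alert are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


class TargetSystem:
    """Stand-in for a server that authenticates the shared privileged account."""

    def __init__(self, account):
        self.account = account
        self._password = None

    def set_password(self, new_password):
        self._password = new_password

    def login(self, account, password):
        return (account == self.account and self._password is not None
                and hmac.compare_digest(password, self._password))


@dataclass
class Lease:
    user: str
    password: str
    expires: datetime


class PrivilegeVault:
    """Holds the only durable copy of the secret and hands out short leases."""

    def __init__(self, target, lease_minutes=15):
        self.target = target
        self.lease = timedelta(minutes=lease_minutes)
        self.rotations = 0
        self.audit = []
        self._current = None
        self.rotate("initial provisioning")

    def rotate(self, reason):
        # The new random secret is pushed to the target first, then recorded
        # here, so every previously issued copy stops working at this moment.
        new_pw = secrets.token_urlsafe(32)
        self.target.set_password(new_pw)
        self._current = new_pw
        self.rotations += 1
        self.audit.append(("rotate", reason, self.rotations))
        return new_pw

    def checkout(self, user, now):
        # On-demand access: the requester gets the current secret for a short lease.
        self.audit.append(("checkout", user, self.rotations))
        return Lease(user, self._current, now + self.lease)


def on_alert(vault, alert):
    """Automated response hook: rotate the privileged credential instead of
    shutting down hosts or DNS. Returns True if a rotation was performed."""
    if alert.get("severity") in ("high", "critical"):
        vault.rotate(f"alert {alert['id']}: {alert['name']}")
        return True
    return False


def scenario():
    """Walk through the point above: after rotation only the stale copy fails."""
    now = datetime(2015, 12, 30, 9, 0)
    target = TargetSystem("svc_admin")
    vault = PrivilegeVault(target)

    ops_lease = vault.checkout("ops-oncall", now)
    stolen = ops_lease.password  # attacker has captured the current secret
    before = {"attacker": target.login("svc_admin", stolen),
              "ops": target.login("svc_admin", ops_lease.password)}

    # Constructed alerts from a detector; an informational one is ignored.
    ignored = on_alert(vault, {"id": "EX-0000", "name": "constructed: low", "severity": "low"})
    rotated = on_alert(vault, {"id": "EX-0001", "severity": "high",
                               "name": "constructed: privileged credential misuse"})

    # The stale copy is dead; the operator's next on-demand checkout just works.
    new_lease = vault.checkout("ops-oncall", now + timedelta(minutes=20))
    after = {"attacker": target.login("svc_admin", stolen),
             "ops": target.login("svc_admin", new_lease.password)}
    return {"before": before, "after": after, "ignored": ignored,
            "rotated": rotated, "rotations": vault.rotations}


if __name__ == "__main__":
    print(scenario())
```

Before the alert both the operator and the holder of the captured copy can log in; after it, only the captured copy fails, because the operator never relied on a long-lived copy in the first place and simply checks out again. The audit list is what lets a reviewer reconstruct afterwards which lease was live at rotation time, which is the 36-hour analysis from the breach story reduced to a lookup.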
It’s the Smart Part that Stings
When you use phrases like “brute force” and “simple attacks” it may seem that the bad guys are pretty dumb. Many of them are. They pick up the tools they find and point them in the right directions. Their only original thought is to attack someplace new. However, the reason they are successful is because someone much smarter forged the path. Someone figured out how to automate these cyber attacks. Someone found the vulnerabilities to exploit. Someone did all the smart work up front.
It’s no different when you think about an automated response to an attack. Getting to the place where no one has persistent access to privilege means that someone pretty smart has to lead the organization to that state. First, they have to recognize the need and the benefits. Then they have to make the program happen. Perhaps hardest of all, they have to effect the behavior changes in the organization to support the new program. And, of course, they have to get the technology wired up to make it possible. Once that’s all in place it’s easy to push a button as an automated response, knowing you have the tools and the talent all lined up. That’s when you can make automation your ally instead of your enemy.